Quarterly insights: Cybersecurity

Demand for data diodes’ extreme security likely to accelerate

Cybersecurity 2021q4

Trends and challenges around cybersecurity, critical infrastructure and industrial assets mean there is a growing number of situations where data diodes – network hardware devices that use the laws of physics to ensure a one-way data flow – will be optimal cybersecurity solutions.

The decision on whether to use data diodes is typically driven by an assessment of the value of precluding either inbound or outbound data flow versus certain inefficiencies, limitations and costs inherent in using data diodes.

While we don’t foresee a major inflection point for data diode demand in the near term, we do foresee an eventual tipping point where cost reductions, expanded protocol support and creative solutions to management challenges aggregate to substantially eliminate the tradeoffs for a much broader range of applications and make data diodes a compelling choice.

We highlight four data diode vendors that target a variety of constituents in the market.


Includes discussion of BAE Systems (LSE:BA) and three private companies

Data diodes – a one-way street for data becoming more compelling

Society and the economy have benefitted immensely by connecting industrial assets and critical infrastructure to a broad range of distributed constituencies, and we think these connections will only grow as they enable more efficiencies and new opportunities to create value. At the same time, more connections mean more assets and infrastructure are exposed to attacks by malicious organizations and governments who use increasingly sophisticated tools and approaches to circumvent traditional cybersecurity defenses. A factor compounding this threat is that most traditional cybersecurity solutions were created for and are primarily used in environments with computing devices that use a small set of standard and well-known communication protocols and operating systems; by contrast, the world of industrial and infrastructure connections features a much more diverse range of protocols and operating systems that many traditional cybersecurity solutions don’t adequately address.

TABLE 1: Diode illustration


Source: Fend, First Analysis.

Given these trends and challenges, we believe there is a growing number of situations where data diodes, perhaps integrated with or combined in innovative ways with traditional software-based firewalls as well as non-diode hardware-based firewalls, will be optimal cybersecurity solutions. Data diodes are network hardware devices that use the laws of physics to ensure a one-way data flow. In a data diode, a transmitter converts data to a protocol, usually pulses of light, which is directed over a small gap to a receiver that can recognize the light signals. The receiver reassembles the data in its original form, or sometimes in a new protocol, for further transmission to other computer systems. Since the receiver is not physically connected to the transmitter and since the receiver can only receive (it has no ability to generate light signals and lacks other transmission capabilities) and the transmitter can only transmit (it has no light receptors or other receiving capabilities), there is no possible return path for data within the device. We illustrate the data flow in Table 1 and show an example of what a diode looks like in Figure 1.

FIGURE 1: Fend XE diode

Source: Fend.

Data diodes were first used in the 1980s, mainly in military and government sectors to protect weapon systems and sensitive information. Since 2000, use has expanded to some regulated critical infrastructure and has been mandated in the United States by the Nuclear Regulatory Commission to protect parts of the nuclear ecosystem. Over the past few years, use has expanded into more critical infrastructure as well as some general commercial applications.

Two primary use cases

For organizations where the paramount concern is making sure malicious parties don’t penetrate internal systems via network connections, data diodes can preclude any data from entering while still allowing data to exit. In this case, the data diode protects the network and assets on the transmitting side of the connection from a cyberattack. There is simply no path for malware to enter the network. So even if assets on the protected side have vulnerabilities – unknown or known but difficult to patch – the outside world has no means to exploit the vulnerabilities remotely. As a result, users of data diodes do not have to worry about their cybersecurity vendors finding exploits and updating systems to look for and block malware. A typical use case would be to share an industrial asset’s diagnostic information over a network with many constituents at many disparate locations, such as decentralized maintenance staff and contractors (Table 2). The information from the asset can be transmitted to the outside world, but no data can return to the asset. The inability to address a problem with the asset through inbound communication may slow corrective action, but this is the tradeoff for protecting the asset from damage or abuse in an attack.

TABLE 2: Primary use case – protecting critical infrastructure (outbound data flows only)


Source: Fend, First Analysis.

For organizations where the paramount concern is making sure data does not escape over network connections, data diodes can preclude any data from exiting while still allowing data to enter. Intelligence gathering applications are a good example. Intelligence officers want a broad range of inputs from the internet and elsewhere to flow into their computers for analysis. However, the insights gathered are highly sensitive and should not be shared. For these users, data diodes can prevent attackers from extracting internal data even if the attackers successfully penetrate the network with malware through inbound data flows. While the computers and servers on the protected side of the data diode are vulnerable to cyberattack, the risk is limited to slowing or shutting down the operation – there is no risk of leaking classified information through the network connection.

Tradeoffs of using data diodes are diminishing

As discussed above, the decision as to whether to use data diodes is typically driven by an assessment of their tradeoffs and limitations. We group these in three categories:

  1. Cost and throughput – Historically, data diodes have been much more expensive than software-based, rules-driven firewalls. Costs have been coming down in recent years, but the cost per megabyte of throughput is still high relative to less-secure solutions.
  2. Limited protocol support – Data passing through a diode arrives in some protocol. Protocols include transmission control protocol/internet protocol (TCP/IP), file transfer protocol (FTP), other widely adopted protocols, and thousands of proprietary protocols used in operational infrastructure. Unlike software firewalls, which can pass data through without change, data diodes must completely deconstruct data to convert it to a series of light pulses on the transmitter side and then accurately reconstruct the data on the receiver side, either in the same protocol or a different one. For example, in operational technology (OT) applications, the protected transmitter side may support numerous proprietary protocols while the open network receiver side reconstructs the data in TCP/IP packets easily digested by common internet devices. The process of preserving the integrity of video images, emails, and other forms of information through these conversions is complex. This complexity and the prevalence of myriad proprietary protocols in industrial and infrastructure applications mean the number of protocol conversions supported – and hence the range of assets where data diodes can be used – is limited.
  3. Management challenges – Most current cybersecurity solutions and networked devices can be administered, updated, patched and configured remotely. But when data diodes are used to protect a network from malicious attack by precluding inbound data flows (Table 2), the transmitting side of the data diode and connected devices behind it cannot be accessed remotely. This means technicians must be physically on site (or at least on the protected side of the network) to investigate and correct issues. When data diodes are used to keep sensitive data from escaping by precluding outbound data flows (Table 3), this problem is less severe because remote instructions and data can enter the protected network. However, the success of such remotely initiated changes cannot be verified by return communication, so local personnel must confirm if the changes succeeded.
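To make the mechanics described above concrete (the transmitter deconstructing data into self-describing frames, the receiver reconstructing and validating them, and the absence of any return path that could carry an acknowledgment or a retransmit request), here is an added simulation in Python. It is not code from Fend, Owl, Waterfall, BAE or any other vendor in this report; the frame format, the `repeat` parameter and the sample telemetry string are assumptions chosen for illustration, and the optical gap is modelled in-process rather than with hardware.

```python
"""Simulated one-way (data-diode style) transfer with no return path.

Added illustration, not vendor code. Frame layout and helper names are
assumptions: a 12-byte header (sequence number, total frame count,
CRC-32 of the chunk) followed by the chunk itself.
"""
import struct
import zlib
from typing import Dict, List, Optional, Tuple

# Network byte order: uint32 seq, uint32 total, uint32 crc  -> 12 bytes.
HEADER = struct.Struct("!IIL")


def frame_payload(data: bytes, chunk_size: int = 8) -> List[bytes]:
    """Transmitter side: deconstruct a payload into self-describing frames.

    Every frame carries enough metadata (seq, total, CRC) for the receiver
    to reassemble and validate without ever talking back to the sender.
    """
    chunks = [data[i:i + chunk_size]
              for i in range(0, len(data), chunk_size)] or [b""]
    total = len(chunks)
    return [HEADER.pack(seq, total, zlib.crc32(chunk)) + chunk
            for seq, chunk in enumerate(chunks)]


def one_way_channel(frames: List[bytes], drop: Tuple[int, ...] = (),
                    repeat: int = 1) -> List[bytes]:
    """Models the optical gap: frames flow in one direction only.

    `drop` lists indexes (into the emitted stream) of frames the channel
    loses.  `repeat` models the sender emitting each frame more than once,
    the usual way a one-way link compensates for loss when a retransmit
    request from the receiver is physically impossible.
    """
    emitted = [f for f in frames for _ in range(repeat)]
    return [f for idx, f in enumerate(emitted) if idx not in drop]


class Receiver:
    """Receiver side: reconstruct the payload and report what it can see.

    Note what is absent: there is no method that signals anything back.
    """

    def __init__(self) -> None:
        self.chunks: Dict[int, bytes] = {}
        self.total: Optional[int] = None
        self.corrupt = 0  # frames discarded because their CRC did not match

    def accept(self, frame: bytes) -> None:
        seq, total, crc = HEADER.unpack_from(frame)
        chunk = frame[HEADER.size:]
        if zlib.crc32(chunk) != crc:
            self.corrupt += 1
            return
        self.total = total
        self.chunks.setdefault(seq, chunk)  # duplicates from repeats are harmless

    def missing(self) -> List[int]:
        """Sequence numbers never seen; only the receiving side can know this."""
        if self.total is None:
            return []
        return [s for s in range(self.total) if s not in self.chunks]

    def reassemble(self) -> Optional[bytes]:
        if self.total is None or self.missing():
            return None
        return b"".join(self.chunks[s] for s in range(self.total))


def transfer(data: bytes, drop: Tuple[int, ...] = (), repeat: int = 1,
             chunk_size: int = 8) -> Tuple[Optional[bytes], List[int]]:
    """Run one payload through transmitter -> gap -> receiver."""
    rx = Receiver()
    for frame in one_way_channel(frame_payload(data, chunk_size), drop, repeat):
        rx.accept(frame)
    return rx.reassemble(), rx.missing()


if __name__ == "__main__":
    # Constructed sample telemetry such as an asset might export outbound.
    telemetry = b"pressure=41.2;temp=88.0"
    print(transfer(telemetry))                       # clean link
    print(transfer(telemetry, drop=(1,)))            # frame lost, no way to ask again
    print(transfer(telemetry, drop=(2,), repeat=2))  # repetition absorbs one loss
```

Because the receiver can never request a resend, whoever operates the receiving side watches `missing()` and `corrupt`, while the transmitting side has no way to learn that a transfer failed; that is the verification gap described under management challenges. Sending every frame more than once (real products use forward error correction for the same purpose) is how a one-way link trades bandwidth for reliability.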

TABLE 3: Primary use case – intelligence gathering (inbound data flows only)


Source: Fend, First Analysis.

We think gradually increasing demand for data diodes will naturally diminish the first two limitations by enabling economies of scale that reduce production costs and enabling investment to support more protocols. Reducing management challenges may be more daunting. The industry realizes this and is coming up with clever solutions. Many of these involve allowing very limited two-way communication for special pre-programmed data types or during limited, highly monitored time periods. Some use highly specific rules combined with a paired data diode to permit data flows in the otherwise blocked direction. These solutions still benefit from the enhanced security of a hardware device with a complete physical break in the communication stream; however, allowing any two-way communication is inherently less secure than allowing none, so some tradeoffs around management challenges will likely persist indefinitely.

While we don’t foresee a major inflection point for data diode demand in the near term, we do foresee an eventual tipping point where cost reductions, expanded protocol support and creative solutions to management challenges aggregate to substantially eliminate the tradeoffs for a much broader range of applications in OT and the Internet of Things.

Some leading data diode technology providers

Numerous companies provide data diodes around the world. Many compete primarily in a single country or region due to their history protecting military and government assets. The primary competition for the industry as a whole is the more commonly deployed software-based, rules-driven firewall. Within the data diode market, providers compete across a number of dimensions including cost, customer support capabilities, certifications and rights to provide the technology in given geographies, number and type of protocols supported, throughput speeds, form factors, and system management capabilities.

We highlight four data diode vendors, three of which are more mature suppliers that are well known in the United States and a substantial number of other countries and one of which is a relative newcomer we think is attracting some attention in the industry.

BAE Systems – This large U.K.-based company is traded on the London Stock Exchange and provides some of the world’s most advanced, technology-led defense, aerospace and security solutions. It employs a skilled workforce of 90,000 people in over 40 countries. Among its numerous offerings are data diodes under the Data Diode Solution brand and what it calls its next-generation technology under the XTS Diode brand. It offers numerous configurations in terms of bandwidth, size and protocol support for both tactical and enterprise deployments. It has data diodes that meet the specifications of government and regulatory agencies in many countries and include versions that respect the technology and export rules of the political areas in which it operates. We consider BAE a highly capable supplier that can satisfy a wide range of standard and special or custom requirements with a strong presence in government and defense markets. We also believe this broad capability and flexibility comes with a price and do not expect BAE to be one of the players offering dramatically lower cost to expand the market.

Fend – Virginia-based Fend is a relative newcomer to the market, having started operations in 2017 and only bringing its American-made, Department-of-Defense-tested offerings to market in recent years. While small today, Fend believes it has a disruptive offering characterized by better price for performance as well as an innovative subscription cloud offering. From a market perspective, Fend’s focus is on critical infrastructure, with a mission to bring data from this infrastructure to the cloud. We believe its data diodes are priced below diodes with similar throughput if purchased outright. It offers a data-as-a-service option that deploys its data diodes where needed to obtain operational data from customer networks in a secure manner and provides access to that data through the cloud to customers and their partners for collection and analysis. We think this is an intriguing offering for its target market. The offering is priced on a per-month basis with the cost of the diode included in the subscription. As a relative newcomer, Fend does not support as many protocols or have as wide a variety of form factors or throughput options as some of its more mature competitors. Nevertheless, we think Fend is a company to watch as a potential disrupter in the market.

Owl Cyber Defense – Founded in 1999 and a portfolio company of private equity firm DC Capital Partners, Owl is a well-known player in the data diode market. In 2019 Owl Cyber Defense merged with Tresys Technology to increase its presence in the hardware-centric firewall market. Owl is based in Columbia, Md., and also has offices in Connecticut and the United Arab Emirates. As an early player in the market, it has some roots in the high-security government and regulated markets; however, it has a mature commercial side as well, so it has some of the most complete libraries of industrial control protocols and can support a wide variety of government and commercial implementations without significant customization or professional services. It has a wide product lineup with products optimized to support various deployment use cases from single-purpose, low-speed, cost-optimized solutions to rack-mounted, multi-purpose solutions. It promotes the value of hardware-based firewalls broadly, with its data diode products being an important focus. Owl is working to address some of the management, throughput and cost-of-ownership issues that have been obstacles to adoption historically and has some aggressively priced options to help spur overall market growth.

Waterfall Security Solutions – Waterfall was founded in 2007. It is headquartered in Israel and has offices in six countries including the United States. The venture-capital backed company is on a mission to bring data diodes and the hardware-based security of unidirectional gateways to the OT world. While many data diode competitors emphasize defense and government customers, Waterfall focuses on industrial customers, specifically targeting power utilities, oil and gas companies, water utilities, manufacturers, miners, and the rail transport industry. It supports or can easily interact with a wide variety of industrial protocols from companies such as Siemens and Emerson. It also provides connections to enterprise monitoring applications from companies such as Splunk, Dragos and IBM. It addresses some of the management challenges inherent in data diodes with innovative solutions such as its Waterfall Flip, which allows the diode orientation to be reversed at scheduled times to allow update and patch information to enter the protected side of the network. While some of its communication and management advantages come with tradeoffs unsuitable (and perhaps in some cases not allowed by regulations) for certain of the most secure use cases, the compromises can be appropriate in many situations given the higher overall level of security versus pure software firewalls. We believe this practical approach is a hallmark that makes Waterfall compelling for its target customers.

Data diodes: No longer so extreme

The extraordinary security enabled by using the laws of physics to preclude two-way communication combined with limitations inherent in that approach historically meant data diodes were used mainly in narrow applications related to national defense. But as technology advances and as the cybersecurity threat to critical infrastructure and other sensitive assets grows, demand is increasing for data diodes in a much wider range of applications. Lives and much of the world economy are now dependent on the integrity and stability of electronic networks, making safeguards that once appeared extreme seem less so day by day. With data diodes gradually moving toward the mainstream of security technology, we expect the market for data diode technology to grow substantially.
